The most notorious instances of commercial spyware

Commercial spyware — what it is, how it infiltrates devices, what it can do once inside, and how to defend against it.

What commercial spyware is, and what different types there are

Commercial spyware has of late been making the headlines with increasing frequency. And we’re not just talking about media channels dedicated to IT or cybersecurity; reports on commercial spyware have been appearing regularly in mainstream media for some time now.

In this post, we discuss the existing commercial spyware packages, how they operate, what they’re capable of, and why they’re dangerous. And as always, we finish with advice on how to defend against them.

What is commercial spyware?

Let’s start with a definition. Commercial spyware is legal malware created by private companies and designed to conduct targeted surveillance and collect sensitive data from users’ devices. The standard tasks of commercial spyware include stealing messages, eavesdropping on calls, and tracking location.

To install commercial spyware on a victim’s device, attackers often use zero-day vulnerabilities, and in many cases — zero-click exploits, which make infection possible without requiring any action on the part of the victim.

Spyware always tries to be as inconspicuous as possible, for the longer the victim remains unaware of the infection, the more information attackers can gather. Moreover, commercial spyware often includes tools for removing traces of infection, so victims may not even suspect afterward that someone was monitoring them.

Although commercial spyware is developed by private companies, they typically sell it to various government organizations — primarily law enforcement and other security agencies.

As a result, commercial spyware is used, among other things, to monitor civilian activists, journalists, and other non-criminal individuals. In fact, that’s exactly why spyware programs regularly make the headlines.

1. Pegasus — NSO Group

Targeted OS: iOS, Android

Zero-day vulnerability exploitation: Apple iOS, Apple Safari, WhatsApp, Apple iMessage

Zero-click exploit use: yes

Country of origin: Israel

Alternative names: Chrysaor, DEV-0336, Night Tsunami

Now let’s talk about specific companies, starting with the most prominent player in the commercial spyware market — the notorious Israeli NSO Group, developer of the iOS spyware Pegasus, and its Android version Chrysaor. The early version of Pegasus, discovered in 2016, required the victim to click on a sent link, which opened a malicious page in a browser, which in turn triggered an automatic infection mechanism using the Trident exploit.

How Pegasus attacks were conducted in 2016

How Pegasus attacks were conducted in 2016. Source

The ability to infect iPhones using zero-click exploits quickly became a hallmark of Pegasus. For example, a few years ago, an attack on Apple smartphones exploited a vulnerability in WhatsApp voice calls activated with a series of malicious packets. The vulnerability, in turn, enabled remote code execution on the targeted device.

The FORCEDENTRY exploit, discovered by Citizen Lab in 2021 and thoroughly researched by the Google Project Zero team, is the most notorious. It was designed to attack the Apple iMessage system, enabling spyware to be launched on the victim’s iPhone after sending them a message containing a GIF file.

However, this file wasn’t an animated image at all but rather an infected PDF document in which a compression algorithm was used. When the victim’s smartphone attempted to preview the document, a vulnerability in the program responsible for handling this compression algorithm was triggered, leading to execution of a chain of exploits and, ultimately, infection of the device.

After this exploit was discovered, Apple patched the vulnerabilities. However, as it later turned out, NSO Group simply moved on to exploit vulnerabilities in other applications as if nothing had happened. In April 2023, the same Citizen Lab published research on the FINDMYPWN and PWNYOURHOME exploits. The former was linked to a vulnerability in Apple’s Find My app, while the latter targeted its HomeKit. However, the ultimate target for both of these exploits was the same: the iMessage messaging system.

Lockdown Mode messages during the PWNYOURHOME exploit attack

Lockdown Mode messages about blocking PWNYOURHOME exploit attacks. Source

Finally, in September 2023, Citizen Lab released information about another exploit used by NSO Group: BLASTPASS. This exploit works similarly — also activating a vulnerability in iMessage — but this time related to the mechanism for sending Apple Wallet objects, such as event tickets, in messages.

Regardless of the specific attack vector, infection results in attackers gaining access to the victim’s messages, intercepting calls, stealing passwords, and tracking location. The geographical reach of this spyware is massive — and the corresponding section of the Pegasus Wikipedia entry occupies an impressive amount of space.

2. DevilsTongue, Sherlock — Candiru

Targeted OS: Windows, macOS, iOS, Android

Zero-day vulnerability exploitation: Microsoft Windows, Google Chrome

Zero-click exploit use: likely

Country of origin: Israel

Alternative names: SOURGUM, Caramel Tsunami, Saito Tech Ltd.

Another Israeli company that develops commercial spyware is Candiru, founded in 2014. In fact, this is only the first of the various names this cyber-espionage organization have used. Since they constantly change their moniker, it’s likely they’re working under a different one now. It’s known that Candiru is backed by several investors associated with NSO Group. However, unlike NSO Group, Candiru is much more secretive: the company has no website, its employees are forbidden to mention their employer on LinkedIn, and in the building where Candiru has its office, you won’t find any mention of it.

Candiru regularly changes its official names

Official names changed by Candiru from 2014 to 2022. Source

Candiru’s activities have not been thoroughly studied yet — all the information we have is limited to leaked documents and a couple of incident investigations involving spyware developed by this company. For example, Microsoft’s investigation uncovered several zero-day vulnerabilities in the Windows operating system that Candiru exploited. There were also several zero-days in the Google Chrome browser, which Candiru probably exploited as well.

The company’s spyware is called DevilsTongue, and has multiple attack vectors — from hacking devices with physical access and using the man-in-the-middle method, to spreading malicious links and infected MS Office documents.

Description of the capabilities of Candiru's spyware

Capabilities of the DevilsTongue spyware developed by Candiru. Source

Candiru also offers a spy tool called Sherlock, which the researchers at Citizen Lab say could be a platform for zero-click attacks on various operating systems — Windows, iOS, and Android. Furthermore, there are reports that Candiru was developing spyware for attacks on macOS.

3. Alien, Predator — Cytrox / Intellexa

Targeted OS: Android, iOS

Zero-day vulnerability exploitation: Google Chrome, Google Android, Apple iOS

Zero-click exploit use: no (but something similar where the Mars complex is used)

Country of origin: North Macedonia / Cyprus

Alternative names: Helios, Balinese Ltd., Peterbald Ltd.

Alien is one of the two components of this spyware. It’s responsible for hacking the targeted device and installing the second part — necessary for setting up surveillance. This second part is called Predator — in homage to the movie.

The spyware was initially developed by Cytrox, founded in 2017. Its roots are in North Macedonia, with related subsidiary companies registered in both Israel and Hungary. Cytrox was later acquired by Cyprus-registered Intellexa, a company owned by Tal Dilian, who served 24 years in high-ranking positions in Israeli military intelligence.

The Alien/Predator spyware focuses on attacks on both the Android and iOS operating systems. According to last year’s Google Threat Analysis Group study, the developers of the Android version of Alien utilized several exploit chains — including four zero-day vulnerabilities in Google Chrome and one in Android.

Alien/Predator attacks started with messages to victims containing malicious links. Once clicked, these links directed victims to the attackers’ website, which exploited the vulnerabilities in the browser (Chrome) and OS (Android) to infect the device. It then immediately redirected the victim to a legitimate page to avoid suspicion.

Intellexa also offers the Mars spyware suite — part of which is installed on the victim’s mobile-operator’s side. Once installed, Mars waits for the targeted individual to visit an HTTP page, and when they do they use the man-in-the-middle method to redirect the victim to the infected site — at which point the process described in the previous paragraph triggers.

Infection by the Predator spyware using Mars occurs without any action on the part of the victim. This resembles a zero-click attack; however, in this case, additional equipment is used instead of vulnerabilities.

4. Subzero — DSIRF

Targeted OS: Windows

Zero-day vulnerability exploitation: Microsoft Windows, Adobe Reader

Zero-click exploit use: no

Country of origin: Austria

Alternative names: KNOTWEED, Denim Tsunami, MLS Machine Learning Solutions GmbH

The spyware Subzero, developed by the lengthily-named Austrian company DSR Decision Supporting Information Research Forensic GmbH (DSIRF), was first picked up by the German-speaking press back in 2021. However, it wasn’t until a year later that this spyware truly gained notoriety. In July 2022, the Microsoft Threat Intelligence team released a detailed study of spyware used by a group codenamed KNOTWEED (Denim Tsunami), which the researchers identified as DSIRF Subzero.

DSIRF Subzero malware capabilities

Slides from a DSIRF presentation detailing the capabilities of the spyware Subzero. Source

To compromise targeted systems, the Subzero malware exploited several zero-day vulnerabilities in both Windows and Adobe Reader. The attack vector typically involved sending the victim an email containing a malicious PDF file, which triggered a chain of exploits upon opening. As a result, bodiless spyware was launched on the victim’s device.

In the next stage, the spyware collected any passwords and other authentication credentials it could find in the infected system — from browsers, email clients, the Local Security Authority Subsystem Service (LSASS), and the Windows password manager. Presumably, these credentials were later used to gather information about the victim and set up further surveillance.

According to the researchers, the Subzero malware has been used to attack organizations in Europe and Central America since at least 2020. The researchers also noted that DSIRF not only sold spyware but also arranged for its employees to participate in the attacks.

In August 2023, it was announced that DSIRF would be shutting down. But it’s too early to rejoice just yet: it’s possible that cyber-espionage activities will be continued by DSIRF’s subsidiary — MLS, Machine Learning Solutions — which is believed to be the current owner of the Subzero spyware. By the way, the MLS website is still fully operational — unlike the DSIRF page, which was “under maintenance” at the time of writing.

5. Heliconia — Variston IT

Targeted OS: Windows, Linux

Zero-day vulnerability exploitation: Microsoft Defender, Google Chrome, Mozilla Firefox

Zero-click exploit use: no

Country of origin: Spain

Alternative names: none

Also in 2022, around the same time Microsoft published details about Subzero’s activities, Google presented its research analyzing another type of commercial spyware — Heliconia. The Google Threat Analysis Group (TAG) report described three components of this malware designed for attacks on computers running Windows or Linux.

The first part — called Heliconia Noise — exploits a vulnerability in the Google Chrome V8 JavaScript engine. Following its exploitation, Chrome’s sandbox is bypassed, and the spyware launches in the targeted system. Additionally, in the code of this part, a fragment was found mentioning Variston as the malware developer. The Google researchers believe it references the Spanish company Variston IT. This company specializes in providing information security services.

Link to Variston IT in Heliconia code

Researchers discovered a link to a company named Variston in the Heliconica code. Source

The second part of the spyware suite, which the Google researchers dubbed Heliconia Soft, exploits a vulnerability in the JavaScript engine embedded in the Windows antivirus, Microsoft Defender. This works as follows: first, the victim is sent a link to an infected PDF file containing malicious JavaScript code. This code triggers the Microsoft Defender vulnerability when the automatic scan of the downloaded PDF file starts. As a result of exploiting this vulnerability, Heliconia gains OS-level privileges and the ability to install spyware on the victim’s computer.

The third part is called Helicona Files. It exploits a vulnerability in the XSLT processor of the Mozilla Firefox browser to attack computers running Windows or Linux. Judging by this vulnerability, which affects Firefox versions 64 through 68, the spyware was developed quite some time ago and has been in use since at least 2018.

6. Reign — QuaDream

Targeted OS: iOS

Zero-day vulnerability exploitation: Apple iOS

Zero-click exploit use: yes

Country of origin: Israel / Cyprus

Alternative names: DEV-0196, Carmine Tsunami, InReach

QuaDream is another Israeli company that develops spyware called Reign. It was founded by former employees of NSO Group, and the spyware they’ve created bears a striking resemblance to Pegasus. For example, to infect iPhones with Reign spyware, they utilize a zero-click exploit similar to FORCEDENTRY, described above.

Citizen Lab researchers have dubbed this exploit ENDOFDAYS. Apparently, this exploit utilizes vulnerabilities in iCloud Calendar as the initial attack vector, enabling attackers to discreetly infect an iPhone by sending invisible malicious invitations to the calendar.

As for the spying capabilities of the iOS version of Reign, the list looks impressive:

  • searching files and databases
  • recording calls
  • listening through the microphone
  • taking photos with either front or rear cameras
  • stealing passwords
  • generating iCloud two-factor authentication one-time codes
  • tracking location
  • erasing traces of device infection
QuaDream Reign spyware capabilities

Capabilities of the sample iOS version of the QuaDream Reign spyware analyzed by Citizen Lab Source

According to some reports, QuaDream has also developed malware for attacking Android devices, but there’s no publicly available information about it. QuaDream’s penchant for secrecy is similar to that of Candiru. QuaDream also lacks a website, its employees are prohibited from discussing their work on social media, and the company’s office can’t be found on Google Maps.

Interestingly, QuaDream used an intermediary, the Cypriot company InReach, to sell its products. The relationship between these two companies is very complicated; at one point, they even went to court. In April 2023, shortly after publication of the Citizen Lab investigation into QuaDream, the company suddenly announced cessation of its operations; however, it’s not entirely clear yet whether this is a complete surrender or a tactical retreat.

How to defend against commercial spyware

Ensuring full protection against attacks using commercial spyware is generally challenging. However, you can at least make life harder for potential attackers. Follow these recommendations:

  • Regularly update the software on all your devices. First and foremost: operating systems, browsers, and messaging apps
  • Do not click on suspicious links — one visit to a site may be enough to infect your device
  • Use a VPN to mask your internet traffic — this will protect you from being redirected to a malicious site while browsing HTTP pages
  • Reboot regularly. Often, spyware can’t persist in an infected system indefinitely, so rebooting helps get rid of it
  • Install a reliable security solution on all your devices
  • And of course, read security expert Costin Raiu’s post for more tips on how to protect yourself from Pegasus and similar spyware
Tips